PLEASE NOTE: I HAVE PERMANENTLY MOVED MY BLOG TO http://www.rationalsurvivability.com/blog

April 21, 2008

I had another post-RSA press release show up in my mailbox today from IBM, again pitching their "...breakthrough research initiative from IBM X-Force and IBM Research, code-named "Phantom", which offers businesses a new means of securing virtualized server environments."

Besides the rumblings at RSA, I haven't been briefed on this as of yet, but let's explore what we have thus far, keeping in mind that this is described as an "initiative" and not a "product":

At Phantom's core is industry-leading network and host intrusion protection used to guard the virtual environment and the machines from the inside out. The new technology sits in a secure, isolated partition and integrates with the hypervisor - the layer of management software that coordinates calls between operating systems and computer hardware.

In this description, Phantom is confusingly framed more as a product/solution than as an initiative, and it gets a little fuzzy as to how this qualifies as integration with the hypervisor beyond just sitting on top of it. Perhaps this is one of the secrets-in-stealth that defines the breakthroughs mentioned above, or perhaps, sadly, yet another unfortunate translation from Klingon?

If one were to take a quick first pass, it sounds like they've taken their software-based IBM/ISS IPS solution and turned it into a virtual appliance (that would be the "secure, isolated partition") that runs alongside the VMs on a physical host. This is basically what every other vendor on the planet is currently doing. Integration with SiteProtector and interaction with the hardware-based physical appliances would make sense, too.

Playing futurist, in terms of the more broadly-reaching "initiative" angle, it might leverage some of the research IBM has already done on their secure hypervisor (sHype) or more appropriately rHype (which I believe is Xen-based) as well as the many other virtualization efforts they've hatched to date.

If IBM were going to commercialize this into productized offerings, besides supporting their own hypervisor(s) and virtualization platforms/operating systems first, I'd guess they would aim for supporting VMware first since that's where the dollars are. Or not.

In addition, full visibility of virtual hardware resources would allow Phantom to monitor the execution state of virtual machines, protecting them against both known and unknown threats before they occur.

Roger. Protect intra-vm traffic. And because they can protect "...against both known and unknown threats before they occur" it's psychic to boot! ;)

It is also designed to increase the security posture of the hypervisor - a critical point of vulnerability; because once an attacker gains control of the hypervisor, they gain control of all of the machines running on the virtualized platform. For the first time, the hypervisor, the gateway to the virtualized world and all that lies above it, can be locked down.

I'm interested in this part because, as most vendors' pitches go, when one digs deeper, what this really means is that *today* if one can control the traffic between VMs that transits the vSwitch, one can potentially prevent a compromise of a VM from becoming a launchpad for an attack on the hypervisor.

What's confusing here is that despite the fact that most hypervisor platform providers consciously limit what is exposed (even in an abstracted state) by the hypervisor, vendors continue to insist that they are "integrated" with and will "lock down" the hypervisor itself. We saw that in the dissection of the Catbird "HyperVisorShield" announcement I wrote about earlier.

Protecting the hypervisor today is really a by-product of protecting the VMs.

Here's another extract from additional coverage of Phantom:

Phantom is a joint effort between IBM's X-Force threat analysis team and the company's research division. It aims to lock down the hypervisor software that IBM systems use to manage virtual machines. "What we're doing through Phantom is we're implementing an IPS (intrusion prevention system)-- an IPS that sits at the hypervisor layer," said Kris Lovejoy, director of strategy for IBM corporate security....The researchers are also building tools that can lock down the hypervisor itself, Lovejoy added. "The hypervisor layer was built for optimum performance, not necessarily effective security," she said. "Our customers are just looking for assurance that their virtualized infrastructure is not going to be the single point of failure."

Aha! See, vendors in their press releases continue to reference THE hypervisor in a singular, monolithic manner that seems to imply that their solutions will protect and lock down any and all hypervisors. I know this point may not be lost on everyone, but it's become very difficult to figure out what many of these VirtSec products actually do and which platforms they support.

I think this last paragraph really intimates that in this case we're talking about IBM's hypervisor(s) -- perhaps based upon sHype/rHype or other IBM virtualization platforms -- at least at first.

I'm not knocking IBM or doubting their efforts as they've been at the virtualization game a long time and with the acquisition of ISS, they got a bunch of good talent and a decent product base. I *am* just weary of claims that seem to apply research and "initiatives" in such broad strokes that it becomes difficult to sort the wheat from the chaff.

May 23, 2007

Interop has been great thus far. One of the most visible themes of this year's show is (not surprisingly) the hyped emergence of 10Gb/s Ethernet. 10G isn't new, but the market is now ripe with products supporting it: routers, switches, servers and, of course, security kit.

With this uptick in connectivity, as well as the corresponding float in compute power thanks to Mr. Moore AND some nifty evolution of very fast, low-latency, reasonably accurate deep packet inspection (including behavioral technology), the marketing wars have begun over who has the biggest, baddest toys on the block.

Whenever this discussion arises, without question the notion of "carrier class" gets bandied about in order to essentially qualify a product as being able to withstand enormous amounts of traffic load without imposing latency.

One of the most compelling reasons for these big pieces of iron (which are ultimately a means to an end to run software, after all) is the service provider/carrier/mobile operator market, which certainly has its fair share of challenges in terms of not only scale and performance but also security.

I blogged a couple of weeks ago regarding the resurgence of what can be described as "clean pipes" wherein a service provider applies some technology that gets rid of the big lumps upstream of the customer premises in order to deliver more sanitary network transport.

What's interesting about clean pipes is that much of what security providers talk about today is only a small part of what is actually needed. Security providers, most notably IPS vendors, anchor the entire strategy of clean pipes around "threat protection" that appears somewhat one-dimensional.

This normally means getting rid of what is generically referred to today as "malware," arresting worm propagation and quashing DoS/DDoS attacks. It doesn't speak at all to the need for things that aren't purely "security" in nature, such as parental controls (URL filtering), anti-spam, P2P, etc. It appears that in the strictest definition, these aren't threats?

So, this week we've seen the following announcements:

ISS announces their new appliance that offers 6Gb/s of IPS

McAfee announces their new appliance that offers 10Gb/s of IPS

The trumpets sounded and the heavens parted as these products were announced, touting threat protection via IPS at levels supposedly never approached before. More appliances. Lots of interfaces. Big numbers. Yet to be seen in action. Also, to be clear, a 2U rackmount appliance that is not DC powered and not NEBS certified isn't normally called "Carrier-Class."

I find these announcements interesting because even with our existing products (which run ISS and Sourcefire's IDS/IPS software, by the way) we can deliver 8Gb/s of firewall and IPS today and have been able to for some time.

Lisa Vaas over @ eWeek just covered the ISS and McAfee announcements and she was nice enough to talk about our products and positioning. One super-critical difference is that along with high throughput and low latency you get to actually CHOOSE which IPS you want to run -- ISS, Sourcefire and shortly Check Point's IPS-1.

You can then combine that with firewall, AV, AS, URL filtering, web application and database firewalls and XML security gateways in the same chassis, to name a few other functions -- all best of breed from top-tier players -- and this, folks, is what we call Enterprise and Provider-Class UTM.

Holistically approaching threat management across the entire spectrum is really important, along with the speeds and feeds, and we've all seen what happens when more and more functionality is added to the feature stack -- you turn a feature on and you pay for it performance-wise somewhere else. It's robbing Peter to pay Paul. The processing requirements necessary to do IPS at 10G line rates are different once you add AV to the mix.

The next steps will be interesting, and we'll have to see how the switch and overlay vendors rev up to make their move to have the biggest on the block. Hey, whatever did happen to that 3Com M160?

Then there's that little company called Cisco...

{Ed: Oops. I made a boo-boo and talked about some stuff I shouldn't have. You didn't notice, did you? Ah, the perils of the intersection of Corporate Blvd. and Personal Way! Lesson learned. ;) }